chakra-core / ChakraCore

ChakraCore is an open source Javascript engine with a C API.
MIT License

ASSERTION Failure: (tmpReg == this->curTmpReg - 1) #6488

Open Changochen opened 4 years ago

Changochen commented 4 years ago

Version: ch version 1.12.0.0-beta

Git hash: 33db8efd9f02cd528a7305391d7d10765a2e85f3

POC:

var a = [1];
a[import(a)++];

In the release build, the stack dump is:

#0  0x000055555579bb41 in ReportFatalException ()
#1  0x000055555579bc49 in OutOfMemory_unrecoverable_error() ()
#2  0x0000555555ce902c in Js::Exception::RaiseIfScriptActive(Js::ScriptContext*, unsigned int, void*) ()
#3  0x000055555579bde9 in Js::Throw::OutOfMemory() ()
#4  0x0000555555790df9 in Math::DefaultOverflowPolicy() ()
#5  0x0000555555871c71 in FuncInfo::AcquireLoc(ParseNode*) ()
#6  0x0000555555cf3689 in Emit(ParseNode*, ByteCodeGenerator*, FuncInfo*, int, bool, bool) ()
#7  0x0000555555cf0aea in ByteCodeGenerator::EmitTopLevelStatement(ParseNode*, FuncInfo*, int) ()
#8  0x0000555555cfa1bc in ByteCodeGenerator::EmitGlobalBody(FuncInfo*) ()
#9  0x0000555555cfbaa3 in ByteCodeGenerator::EmitOneFunction(ParseNodeFnc*) ()
#10 0x0000555555cfa571 in ByteCodeGenerator::EmitScopeList(ParseNode*, ParseNode*) ()
#11 0x000055555582e284 in ByteCodeGenerator::Generate(ParseNodeProg*, unsigned int, ByteCodeGenerator*, Js::ParseableFunctionInfo**, unsigned int, bool, Parser*, Js::ScriptFunction**) ()
#12 0x000055555582fcbf in GenerateByteCode(ParseNodeProg*, unsigned int, Js::ScriptContext*, Js::ParseableFunctionInfo**, unsigned int, bool, Parser*, CompileScriptException*, Js::ScopeInfo*, Js::ScriptFunction**) ()
#13 0x00005555558079dc in Js::ScriptContext::LoadScriptInternal(Parser*, unsigned char const*, unsigned long, SRCINFO const*, CompileScriptException*, Js::Utf8SourceInfo**, char16_t const*, LoadScriptFlag, void*) ()
#14 0x0000555555807c6e in Js::ScriptContext::LoadScript(unsigned char const*, unsigned long, SRCINFO const*, CompileScriptException*, Js::Utf8SourceInfo**, char16_t const*, LoadScriptFlag, void*) ()
#15 0x0000555555733472 in RunScriptCore(void*, unsigned char const*, unsigned long, LoadScriptFlag, unsigned long, char16_t const*, bool, _JsParseScriptAttributes, bool, void**) ()
#16 0x0000555555736eab in JsRun ()
#17 0x00005555556d4c19 in RunScript(char const*, char const*, unsigned long, void (*)(void*), void*, char*, void*) ()
#18 0x00005555556d5c05 in ExecuteTest(char const*) ()
#19 0x00005555556d62ab in main ()
#20 0x00007ffff67d3b97 in __libc_start_main (main=0x5555556d5c90 <main>, argc=0x2, argv=0x7fffffffe518,
    init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe508)
    at ../csu/libc-start.c:310
#21 0x00005555556d3c8a in _start ()
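As an added example (not code from the issue or from the ChakraCore project), the Node.js harness below checks what a specification-conforming parser does with the POC and a few constructed neighbours. ECMAScript requires the operand of ++/-- and the left side of = to be a simple assignment target, and an ImportCall never is, so `import(a)++` is an early SyntaxError that a parser must reject before any bytecode is generated; the trace above shows that ChakraCore instead reached ByteCodeGenerator::Emit and FuncInfo::AcquireLoc with this input. The case names and the findDeviations helper are assumptions of this example, and it cannot reproduce the ChakraCore failure itself.

```javascript
// Added triage harness (not from the issue or from ChakraCore).
// It classifies inputs by whether a conforming engine rejects them as
// early SyntaxErrors; it does not reproduce the ChakraCore crash.

// Parse without executing: the Function constructor throws SyntaxError
// for early errors and otherwise returns a function that is never called.
function parseOutcome(source) {
  try {
    new Function(source);
    return "accepted";
  } catch (e) {
    return e.name; // "SyntaxError" for early errors
  }
}

// Constructed inputs (assumption of this example): the issue's POC, two
// hypothetical neighbours that exercise the same assignment-target rule,
// and a valid control whose update target is a real reference.
const CASES = [
  { name: "poc-postfix", src: "var a = [1]; a[import(a)++];",  expect: "SyntaxError" },
  { name: "prefix",      src: "var a = [1]; a[++import(a)];",  expect: "SyntaxError" },
  { name: "assignment",  src: "var a = [1]; a[import(a) = 1];", expect: "SyntaxError" },
  { name: "control",     src: "var a = [1]; a[a[0]++];",       expect: "accepted" },
];

// Returns a description of every case whose outcome differs from the
// specification. A non-empty result means the host parser let an invalid
// target through to code generation (or rejected a valid one), which is
// exactly the kind of input worth running under a debug build of the engine.
function findDeviations(cases = CASES) {
  return cases
    .filter((c) => parseOutcome(c.src) !== c.expect)
    .map((c) => `${c.name}: got ${parseOutcome(c.src)}, expected ${c.expect}`);
}

// Example run: an empty list means this engine matches the specification.
console.log(findDeviations());
```

Run it with node; an empty list means the host engine rejects all three invalid targets at parse time. To observe the ChakraCore behaviour, the POC has to be fed to ch: a debug build is needed to hit the assertion named in the title, while the release build takes the fatal out-of-memory path (Math::DefaultOverflowPolicy, Js::Throw::OutOfMemory, ReportFatalException) shown in the trace.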

ppenzin commented 4 years ago

I can confirm this on Linux and Windows. Usually those kinds of asserts correspond to virtual registers not being released, though I am not yet sure about the inner mechanics in this case - there might be an issue chakra is not catching.